Cross-domain authentication is here! Big milestone reached!

Exposing Steem content to the external world was our goal from the very beginning. Engrave was designed to become a platform which allows users to create blogs and build brand awareness under their own domain. But none of this is possible without user interaction.

Months ago, blogs' users were able to log in on every Engrave-powered blog using Steemconnect. But due to technical reasons, users had to log in independently on every blog, which was a huge disadvantage and a usability killer. We were aware of that, and after rewriting almost the entire codebase to microservices (you can read about it in our previous blog post), we were ready to implement a solution for that.

After 25 commits and almost 10,000 changes across 146 files, it's time to introduce cross-domain authentication.

Interact with every blog easily

What does it mean in simple words? From yesterday on, you are able to log in on any blog and interact with every other without the need to log in again. It doesn't matter if the blog was created in a subdomain (like https://enjoycompany.engrave.site) or in a top-level domain like https://krzysztofszumny.pl/ or https://hobo.media/ - you will be logged in on every Engrave blog for the next 7 days.

Check it yourself, it's fast and simple. Log in on the first mentioned blog, visit the second one and check the header menu. You will be logged in automatically!

We also fixed and improved all three templates on the occasion. From now on, every template has an integrated automatic login mechanism and the ability to read, post comments and vote on everything directly from the blog. Every blog.

And of course, it's working on mobile phones too. You know, just saying.

Security

Developing blockchain-powered applications is quite complicated from the security point of view. Having your Steem private keys is like having the keys to your apartment or even your bank account. A lot of us have a small fortune here and we really care about security. That's why we were working on it a little bit longer than expected.

Minimal privileges

We don't want to have your keys, seriously. That's why we are using Steemconnect from the very beginning. But even with Steemconnect, it's possible to have more power than necessary. It's like with an Android Flashlight app which requires access to your private data, internet connection, and contact book.

When you log in to blogs, Engrave only requires posting privileges for Vote and Comment. After all, everything you probably want to do on those blogs is to vote and comment on good (or bad) quality articles.

Vault

But what to do when you already hold users' sensitive data, for example access tokens? Store it in an industry-proven and secure place, like the HashiCorp Vault system used by, for example, Adobe or Spaceflight corporations.

Every access token received from Steemconnect is encrypted and stored in a secure vault. HashiCorp Vault itself is secured by 5 master keys which need to be provided after every restart in order to decrypt data. Otherwise, it's impossible to have access to it.

JSON Web Token

Your secret keys don't even leave our server, which is much more secure than sending them over and over through the Internet. We are using JWT tokens to authenticate you on blogs, and this token is only able to authenticate you in our API. Even if someone steals it - it's useless in any place other than Engrave, so you don't need to worry.
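An added example, not Engrave's own code, of a session token of the kind described above: it carries only a username, an audience and the 7-day expiry, so nothing Steem-related travels with it. The post does not state the signing algorithm, claim names or audience value, so HS256, `sub`/`aud`/`exp`, `engrave-api` and the secret are assumptions.

```javascript
// Added example: a session JWT (HS256) holding no Steem key and no Steemconnect token.
const crypto = require('crypto');

const SECRET = 'constructed-demo-secret'; // assumption: server-side signing key (constructed)
const AUDIENCE = 'engrave-api';           // assumption: hypothetical audience value
const WEEK = 7 * 24 * 60 * 60;            // the 7-day login from the post, in seconds

const b64 = (v) => Buffer.from(v).toString('base64url');
const mac = (data, key) => crypto.createHmac('sha256', key).update(data).digest();

// Issue a token holding only identity, audience and expiry.
function issueSession(username, now) {
  const header = b64(JSON.stringify({ alg: 'HS256', typ: 'JWT' }));
  const body = b64(JSON.stringify({ sub: username, aud: AUDIENCE, iat: now, exp: now + WEEK }));
  return `${header}.${body}.${b64(mac(`${header}.${body}`, SECRET))}`;
}

// Verify as a service expecting `audience`; returns { ok, sub } or { ok: false, reason }.
function verifySession(token, audience, now, key = SECRET) {
  const parts = token.split('.');
  if (parts.length !== 3) return { ok: false, reason: 'malformed' };
  const [header, body, sig] = parts;
  let head, claims;
  try {
    head = JSON.parse(Buffer.from(header, 'base64url').toString());
    claims = JSON.parse(Buffer.from(body, 'base64url').toString());
  } catch { return { ok: false, reason: 'malformed' }; }
  // Pin the algorithm on the server; never let the token choose it (rejects "none").
  if (head.alg !== 'HS256') return { ok: false, reason: 'bad alg' };
  const expected = mac(`${header}.${body}`, key);
  const given = Buffer.from(sig, 'base64url');
  // Constant-time comparison; claims are trusted only after this check passes.
  if (given.length !== expected.length || !crypto.timingSafeEqual(given, expected))
    return { ok: false, reason: 'bad signature' };
  if (claims.aud !== audience) return { ok: false, reason: 'wrong audience' };
  if (typeof claims.exp !== 'number' || now >= claims.exp) return { ok: false, reason: 'expired' };
  return { ok: true, sub: claims.sub };
}
```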

Next milestones

We are aware of some technical problems and visual imperfections in the blogs' templates and dashboard. We will fix every bug, whether it is small or big. We're doing everything we can to provide the best possible solution for both bloggers and readers, but our time is limited. This is what our life and work look like:

So... please be patient... but also use Engrave, test everything, give us feedback and resteem this post. Without that, it's impossible to go forward!

We already wrote a long post about Engrave's future, but due to the completely new architecture introduced two weeks ago, some of the plans might be outdated, some have been changed and some will be introduced sooner rather than later, and it will be exciting.

If you find this project interesting and useful, consider voting for us, as we are a Witness called @wise-team. We are a group of people who just want to bring a bright future to the Steem network. Check our webpage https://wise-team.io and see our other projects.

One of our next biggest milestones, which we will introduce soon, is the ability to create Engrave blogs on demand for people without a Steem account. Unfortunately, our investment in Steem Power lets us claim only one single account every few days. While developing a technical solution, we are claiming accounts even now to be ready. But it's not enough... we want to bring more and more people here!

You can easily help us reach our goals by just voting for us. But you know, no pressure.